Appl. No. 09/806,398

Amendments 

In the Specification: 

On page 1, in the section "Background of the Invention", in the subsection 
"Statement as to Rights to Inventions Made Under Federally-Sponsored Research and 
Development", please substitute the sole pending paragraph with the following paragraph: 

This invention was made with U.S. Government support under Contract Number 
CG9813, awarded by the National Security Agency, and Contract Number 
DAALO 19620002, awarded by the Army Research Laboratory. The U.S. Government has 
certain rights in this invention. 
Remarks

The amendment above adds no new matter. 

The amendment corrects a formal matter without changing the scope of the claims. 
Accordingly, Applicants respectfully request that this Amendment be entered. 
Sterne, Kessler, Goldstein & Fox p.l.l.c.

Date:

1100 New York Avenue, N.W.
Suite 600
Washington, D.C. 20005-3934
(202) 371-2600

Edward W. Yee
Attorney for Applicants
Registration No. 47,294
Distributed Shared Key Generation and Management Using Fractional Keys



Field of the Invention 

The invention described herein pertains to communications, and more 
particularly to information security. 

Related Art 

Cryptographic key generation and management is an important problem
in multicast and group communications (Canetti, R. and Pinkas, B., "A taxonomy
of multicast security issues," in Internet-Draft (1998); Harney, H. and
Muckenhirn, C., "GKMP Architecture," RFC 2093 (1997); Harney, H. and
Muckenhirn, C., "GKMP Architecture," RFC 2094 (1997); Ballardie, A.,
"Scalable Multicast Key Distribution," RFC 1949 (1996); Poovendran, R., et al.,
"A Scalable Extension of Group Key Management Protocol," Proc. 2nd Ann.
ATIRP Conf., Maryland, pp. 187-191 (1998), incorporated herein by reference).
In many instances, it is desirable to generate a group shared key (SK) for efficient
intra-group communications. However, having the same SK implies that all the
group membership is at the same trust level. In a distributed, multicast group, it
is often neither possible nor desirable to have the same trust level throughout the
group. One may be tempted to suggest that a single trust level can be defined by
choosing the lowest possible trust level as the group trust level. Though such a
straightforward approach is feasible, one can do better by compartmentalizing the
group based on local trust levels (Id.). Such a compartmentalization inevitably
leads to clustering of a given group. Compartmentalization also helps in having
better control over the set of key management and distribution functions as
noted in (Id.).

While the entities in each cluster may share a common trust level, it may
be that the clusters are mutually suspicious and have only partial trust in each
other. Thus, a mechanism is desired that permits mutually suspicious parties to
come together to generate a shared key. In order to avoid involving (and
potentially paying) a third party, it is also desirable that the scheme involve only
the group members and not external parties.

Some schemes (such as Harney, H. and Muckenhirn, C., "GKMP
Architecture," RFC 2093 (1997); Harney, H. and Muckenhirn, C., "GKMP
Architecture," RFC 2094 (1997); Ballardie, A., "Scalable Multicast Key
Distribution," RFC 1949 (1996)) propose to replace the traditional (external) Key
Distribution Center (KDC) with a Group Controller (GC) which can generate and
distribute the keys. However, in these approaches, a single member is allowed to
generate the keys. This means that group members must place complete trust in
this group member. In (Poovendran, R., et al., "A Scalable Extension of Group
Key Management Protocol," Proc. 2nd Ann. ATIRP Conf., Maryland, pp. 187-191
(1998)), a panel of members is allowed to generate the keys. However, this
reference does not present any explicit distributed key generation scheme.
(Note: The following references are incorporated herein by reference:
Bellare and Micali, "Non-Interactive Oblivious Transfer and Applications," in
Advances in Cryptology - Crypto '89, Springer-Verlag (1989), pp. 547-557;
Poovendran et al., "A Distributed Shared Key Generation Procedure Using
Fractional Keys," Proceedings of the MILCOM '98, Boston, MA (Oct. 1998);
Simmons, G.J., "An Introduction to Shared Secret and/or Shared Control
Schemes and Their Applications," in Contemporary Cryptology: The Science of
Information Integrity, Simmons, G.J., ed., IEEE Press (1992), pp. 441-497.)

Summary of the Invention 

The invention described herein represents a new class of distributed key
generation and recovery methods suitable for group communication systems
where the group membership must be tightly controlled. The key generation
approach allows entities which may have only partial trust in each other to jointly
generate a shared key without the aid of an external third party. The group
collectively generates and maintains a dynamic group binding parameter, and the
shared key is generated using a pseudorandom function using this parameter as a
seed. The methods employ distributed algorithms based on fractional keys (FK).
The methods allow the members to automatically update the keys in a periodic
manner without any assistance from an external third party, and to do so using
verifiable secret sharing techniques. The key retrieval method does not require the
keys to be stored in an external retrieval center. Note that many Internet-based
applications may have these requirements.

Features and Advantages 

The invention described herein has the feature of developing a shared key
based on components associated with respective members of a cluster. The
invention has the additional feature of a dynamic group binding parameter that
serves as a seed for development of the shared key. The invention has the
advantage of allowing cooperative key generation without requiring action by an
independent party. The invention has the further advantage of allowing key
retrieval without requiring the archiving of keys at an external retrieval center.

Brief Description of the Figures 

The foregoing and other features and advantages of the invention will be 
apparent from the following, more particular description of a preferred 
embodiment of the invention, as illustrated in the accompanying drawings. 

FIG. 1 is a flowchart illustrating the overall operation of an embodiment 
of the invention. 

FIG. 2 is an example system implementing the invention. 

FIG. 3 is a flowchart illustrating the initialization process as performed by 
a security manager, according to an embodiment of the invention. 

FIG. 4 is a flowchart illustrating the initialization process as performed by 
cluster members in a distributed fashion, according to an embodiment of the 
invention. 

FIG. 5 is a flowchart illustrating subsequent key generation, according to 
an embodiment of the invention. 

FIG. 6 is a flowchart illustrating subsequent key generation using ElGamal 
public key pairs, according to an embodiment of the invention. 

FIG. 7 is a flowchart illustrating key recovery, according to an 
embodiment of the invention. 

FIG. 8 is a flowchart illustrating verification of security manager-based 
initialization, according to an embodiment of the invention. 

FIG. 9 is a flowchart illustrating verification of distributed initialization, 
according to an embodiment of the invention. 

FIG. 10 illustrates an example computing environment of the invention. 
Detailed Description of the Preferred Embodiments

A preferred embodiment of the present invention is now described with 
reference to the figures where like reference numbers indicate identical or 
functionally similar elements. Also in the figures, the left most digit of each 
reference number corresponds to the figure in which the reference number is first 
used. While specific configurations and arrangements are discussed, it should be 
understood that this is done for illustrative purposes only. A person skilled in the 
relevant art will recognize that other configurations and arrangements can be used 
without departing from the spirit and scope of the invention. It will be apparent 
to a person skilled in the relevant art that this invention can also be employed in 
a variety of other devices and applications. 

I. Properties of the Key Generation and Management Method

The following notation is used to describe the different entities involved
in the method:

α_{i,j}: The one-time pad of the ith member at the jth key update iteration.

θ_j: The group binding parameter at the jth key update iteration.

{K_i, K_i^{-1}}: Public key pair of the member i. This pair is assumed to be
updated appropriately to preserve the integrity and confidentiality
of any communication transaction by and with member i.

FK_{i,j}: The FK of the ith member at the jth key update iteration.

HFK_{i,j}: The hidden FK (HFK) of the ith member at the jth key update iteration.

SK_j: The group SK at the jth key update instance.

A → B: X: Principal A sends principal B a message X.

In an embodiment of the invention, the message format is

{{T_i, M, j, Msg}_{K_S^{-1}}}_{K_R}

where the variables are defined as follows:

T_i: a real-valued, wallclock time stamp generated by member i.

M: denotes the mode of operation, with "I" for Initialization mode,
"G" for Generation mode, and "R" for key Recovery mode.

j: integer-valued, denotes the current iteration number.

Msg: the message to be sent.

K_S^{-1}: denotes the private key of the sender S.

K_R: public key of the receiver R.

The following properties are desirable for a multiparty key generation
scheme:

An FK contributed by a participating member should have the
same level of security as the group SK.

A single participating member, without valid permissions, should
not be able to obtain the FK of another member.

If an FK-generating member has physically failed, been
compromised or removed, the remaining FK-generating members
should be able to jointly recover the FK of the failed member.

The first property simply states that the distributed key generation scheme
has to be such that each FK space has at least the same size as the final SK space.
Hence, each member may generate FKs of different sizes but, when combined, they
lead to a fixed length SK. The second property has to do with the need for
protection of individual FKs that is desired in light of the absence of a centralized
key generation scheme. In the current scheme, every member performs an
operation to hide its FK such that, when all the hidden FKs (HFKs) and the group
parameter are combined, the net result is a new SK. Even if an HFK is known,
the problem of obtaining the actual FK or the SK needs further computation. The
requirements of the FK concealment mechanism are described in greater detail
below.

If a contributing member physically fails, becomes compromised, or has 
to leave the multicast group, or cluster, then it becomes necessary to replace the 
existing member with a new member. Hence, the newly-elected member should 
be able to securely recover the FK generated by the replaced member. However, 
to ensure the integrity of the scheme, this recovery should be possible only if all 
the remaining contributing members cooperate. This feature deviates significantly 
from the existing key generating schemes (Harney, H. and Muckenhirn, C, 
"GKMP Architecture," RFC 2093 (1997); Harney, H. and Muckenhirn, C, 
"GKMP Architecture," RFC 2094 (1997); Ballardie, A., "Scalable Multicast Key 
Distribution," RFC 1949 (1996)). The requirement that an individual member 
acting alone not be able to obtain the FKs of other contributing members is similar 
to protecting individual private keys in public key cryptography systems. 

The following is a list of assumptions regarding the method: 



There exist two commutative operators ® and 0 which form an 
abelian group when operating on the set of keys. 

It is computationally difficult to perform cryptographic analysis on 
a cryptographically-secure random key by search methods if the 
key length is sufficiently large. 

The keys are all L bits in length, and all members know its length. 

The number of participants in generating the SK is fixed as n
(where n may be a function of ® and 0). 

There is a mechanism for certifying the members participating in 
the key generation procedure, for securely exchanging the 
quantities required in the algorithm and for authenticating the 
source of these quantities. 

Every member has the capability to generate a cryptographically-secure
random number of length L bits or longer.
With the assumptions above, the key management scheme can be
described in terms of three major processes:

1. Initialization, which includes secure initial one-time pad and
binding parameter generation and distribution;

2. Key Generation, an iterative process including fractional, hidden
and shared-key generation; and

3. Key Retrieval, a process that is required only in the case of a
member node failure or compromise.



These processes are collectively illustrated in process 100 of FIG. 1.
Process 100 begins with a step 105. In a step 110, the key management process
is initialized. Here, initial one-time pads are generated for each member. In
addition, a binding parameter is generated and distributed to each member,
permitting each member to generate the same key, a shared key SK. In a step
115, the members can operate securely using the SK. If, in a step 120, a failure
occurs at a member's node, such as a compromise of the member or an equipment
failure, then key retrieval is performed in a step 125. Here, recovery of the
parameters associated with the failed node is performed. In a step 130, a new
binding parameter is generated and new one-time pads are created. Operations
then resume at step 115.

If, in step 120, no failure occurs, process 100 continues with a step 135.
Here, a determination is made as to whether an update of the SK is needed. This
may be required, for example, if a member leaves the cluster. Alternatively, an
operation may simply require periodic updating of the SK. If an update is needed,
key generation step 130 is performed. Operations then resume at step 115.

The processes of initialization, key generation, and key retrieval are
described in greater detail below.



II. Initialization
A Group Initiator (GI) first selects a set of n FK-generating members of
a cluster, and the GI may be one of these members. The GI can then contact a
Security Manager (SM), a third party who is not an FK-generating member, who
generates the initial pads and the binding parameter and distributes them to the
members. This is illustrated by system 200 of FIG. 2. Member 1, group initiator
210, is shown contacting security manager 250, who then distributes the necessary
data to members 1 through 4, labelled 210 through 240, respectively. The data
flow for this embodiment is illustrated by dotted lines. In an alternative
embodiment, GI 210 initiates a distributed procedure among the group members
(illustrated by solid lines) to create these quantities without the aid of an external
party.

A. SM-Based Initialization

The process of initialization by an SM is illustrated in FIG. 3, process 300,
according to an embodiment of the invention. Process 300 begins with a step 305.
In a step 310, the GI generates an initial random one-time pad, α_{i,1}, for each
member i. In a step 315, an initial binding parameter θ_1 is computed such that
α_{1,1} ⊕ α_{2,1} ⊕ ... ⊕ α_{n,1} = θ_1. In steps 320 through 340, α_{i,1} and θ_1 are sent to each
member i. In step 320, index i is initialized. In steps 325 and 330, the initial pads
and binding parameter are distributed to member i, as

In step 335, index i is incremented. In step 340, a determination is made as to
whether α_{i,1} and θ_1 have been sent to all members i. If not, then α_{i,1} and θ_1 are
sent to the next member i. The process concludes with a step 345. At the
conclusion of process 300, each member has θ_1, on which a common SK can be
based.




B. Distributed Initialization 
In an alternative embodiment, initialization can be performed through a
cooperative process involving all members, illustrated as process 400 of FIG. 4.
The GI (assumed to be a member and denoted in process 400 by the index 1) can
perform the following steps (see also Koblitz, N., Cryptologia 317-326 (1997),
incorporated herein by reference) to generate the initial parameters of the group.
Process 400 begins with a step 405. In a step 410, member 1 generates two
uniformly-distributed random quantities γ and ν_{1,1} of bit length L. In a step 415,
member 1 operates on these two quantities as γ ⊕ ν_{1,1} = δ_1. In a step 420, member
1 sends the result to member 2 (the "next" member in the group) as 1 → 2:

Starting with member 2, each member i calculates its own δ_i based on the
previous member's δ_{i-1}, and sends δ_i to the next member. This is illustrated in
steps 425 through 450. In step 425, the index i is initialized to 2. In step 430,
member i generates a uniform random variable ν_{i,1} of bit length L. In step 435,
member i then operates on the quantity it received from member i - 1 as
δ_{i-1} ⊕ ν_{i,1} = δ_i. In step 440, member i then sends the result to member i + 1 as
i → i + 1:

In step 445, i is incremented. If, as determined in step 450, each of the n
members has not generated a respective value δ_i, the process returns to step 430,
where the next member i generates its uniform random variable ν_{i,1}.

Eventually, the group member i = n receives δ_{n-1} and, in a step 455,
generates a uniformly-distributed random quantity ν_{n,1} of bit length L. In a step
460, member n performs δ_{n-1} ⊕ ν_{n,1} = δ_n. In a step 470, member n securely sends
δ_n to the initiating member i = 1 as

n → 1: {{T_n, I, 1, δ_n}_{K_n^{-1}}}_{K_1}.

In a step 475, the GI (member 1) then recovers δ_n and performs γ ⊕ δ_n = θ_1. In
steps 480 through 494, member 1 sends θ_1 to each member i. In step 480, the
index i is initialized to 2. In step 485, member 1 sends θ_1 to member i as

1 → i: {{T_1, I, 1, θ_1}_{K_1^{-1}}}_{K_i}.

In step 490, each member i privately computes α_{i,1} = θ_1 ⊕ . In step 492,
the index i is incremented. If, in step 494, i > n, so that each member i has
received θ_1 and privately computed a respective α_{i,1}, then the process 400
concludes with a step 496. Otherwise, the process returns to step 485, where
member 1 sends θ_1 to another member. At the conclusion of process 400, each
member has θ_1, on which a common SK can be based.

Note that these two approaches of initialization (security manager- 
controlled initialization and distributed initialization) are not equivalent unless 
additional security assumptions are made. For example, in the case of distributed 
initialization within the group, the following can be done. 

Assume that members i - 1 and i + 1 conspire to obtain the secret of member
i, where the numerical ordering corresponds to the order of message passing in the
distributed algorithm.

1. Member i - 1 sends δ_{i-1} to member i as per the algorithm, and also
to member i + 1 without i's knowledge.

2. Member i, who is unaware of the conspiracy between i - 1 and
i + 1, computes δ_i = δ_{i-1} ⊕ ν_{i,1} and sends it to member i + 1
securely.

3. Member i + 1 can now compute ν_{i,1} = δ_{i-1} ⊕ δ_i and obtain the
secret ν_{i,1} of member i.

However, the secret ν_{i,1} generated by member i becomes part of the pads
(i.e. the α's) of members i - 1 and i + 1. Hence, application of this initialization
assumes that the parties are benign.
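
The ring computation of process 400 and the neighbour collusion described above, as an added Python sketch that is not part of the original specification. It assumes the group operation is addition modulo a prime p (the choice discussed in Section V) and, because the operand of step 490 is lost in this copy, that each pad is θ_1 with the member's own ν removed; the function names and the prime are illustrative.

```python
import secrets

# Assumption: the group operation is addition modulo a large odd prime p.
# This Mersenne prime is a constructed stand-in for p.
P = 2**127 - 1


def distributed_init(n):
    """Run the message ring of process 400 and return every value a party holds."""
    gamma = secrets.randbelow(P)                    # blinding value, known only to member 1
    nus = [secrets.randbelow(P) for _ in range(n)]  # nu_{i,1}, private to member i
    deltas = []                                     # deltas[i-1] is delta_i, forwarded by member i
    running = gamma
    for nu in nus:
        running = (running + nu) % P                # steps 415, 435 and 460
        deltas.append(running)
    theta1 = (deltas[-1] - gamma) % P               # step 475: member 1 removes gamma
    # Step 490 (operand assumed): each member removes its own nu from theta_1.
    alphas = [(theta1 - nu) % P for nu in nus]
    return {"gamma": gamma, "nus": nus, "deltas": deltas,
            "theta1": theta1, "alphas": alphas}


def collusion_recovers_secret(delta_prev, delta_i):
    """Members i-1 and i+1 pool delta_{i-1} and delta_i and obtain nu_{i,1}."""
    return (delta_i - delta_prev) % P


def pad_from_secret(theta1, nu_i):
    """Once nu_{i,1} is known, member i's first pad follows from the shared theta_1."""
    return (theta1 - nu_i) % P


def neighbour_collusion_demo(n=6, victim=4):
    """Return True when the two neighbours of `victim` (1-based, 2 <= victim < n)
    reconstruct both the victim's secret and the victim's one-time pad."""
    state = distributed_init(n)
    delta_prev = state["deltas"][victim - 2]        # copied to i+1 by member i-1
    delta_i = state["deltas"][victim - 1]           # received by i+1 per the protocol
    nu = collusion_recovers_secret(delta_prev, delta_i)
    pad = pad_from_secret(state["theta1"], nu)
    return nu == state["nus"][victim - 1] and pad == state["alphas"][victim - 1]


if __name__ == "__main__":
    print("neighbours recover the victim's secret and pad:", neighbour_collusion_demo())
```

Every honest member still ends with the same θ_1, so nothing in the protocol's output reveals that the extra copy of δ_{i-1} was sent.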



WO 00/19652 



PCT/US99/22710 






III. Key Generation 

The key generation algorithm is an iterative process depicted in FIG. 5 as
process 500. Each successive key generation, iteration j, requires as input a set
of one-time pads α_{i,j}, i = 1, ..., n, and the binding parameter θ_j, which are
obtained from the initialization process (e.g., process 300 or process 400) for
iteration j = 1, and from the preceding iterations for j > 1.

The iterative key generation process, according to an embodiment of the
invention, consists of the following. Process 500 begins with a step 505. In steps
510 through 535, each member i generates a cryptographically-secure random
number, fractional key FK_{i,j}, and sends it to every other member m. In step 510,
index i is initialized to 1. In step 515, member i generates random number FK_{i,j}.
In step 520, member i generates a hidden fractional key HFK_{i,j} = α_{i,j} ⊕ FK_{i,j}. In
step 525, member i sends HFK_{i,j} to every other member m as

In step 530, index i is incremented. If, as determined in step 535, each member
i has created a respective HFK_{i,j} and sent it to all other members, the process
continues at a step 540. Otherwise, process 500 returns to step 515, where the
next member i generates its respective FK_{i,j}.

Once the exchange of HFKs is complete, each member computes the
new group parameter θ_{j+1} and a new shared key SK_j. This occurs in steps 540
through 560. In step 540, index i is initialized to 1. In step 545, member i
calculates the new binding parameter,

θ_{j+1} = Xθ_j ⊕ HFK_{1,j} ⊕ HFK_{2,j} ⊕ ... ⊕ HFK_{n,j}
= FK_{1,j} ⊕ FK_{2,j} ⊕ ... ⊕ FK_{n,j}.

In step 550, member i calculates a new one-time pad
α_{i,j+1} = θ_{j+1} ⊕ FK_{i,j}, and a new shared key SK_j = f(θ_{j+1}) where f(·) is a strong
one-way pseudo-random function. In step 555, index i is incremented. If, in step 560,
i > n, so that each member i has created a new θ_{j+1} and a new SK_j, then the
process concludes with a step 565. Otherwise, process 500 returns to step 545,
where the next member i calculates the new binding parameter, θ_{j+1}.

If the resulting group parameter θ_{j+1} is cryptographically insecure for a
particular application, all members can repeat process 500, creating a new high
quality group parameter θ_{j+1}.

At the end of process 500, we have the SK for the current iteration. Note
that the quantity is computed such that, for an outsider, obtaining α_{i,j+1} is
very hard, even if the actual shared key SK_j is compromised at any key update time
interval (j, j + 1). Knowing the shared key SK_j does not reveal the group parameter
θ_j and, hence, the tight binding of the members will not be broken by the loss of
the shared key.

Note the following additional features of the key scheme: 



• Although all the members have each HFK_{i,j}, obtaining the FK_{i,j} or
α_{i,j+1} of another member involves search in the L-dimensional
space, and obtaining their correct combination involves search in
the (n - 1)L-dimensional space. Hence, even if a fellow member
becomes an attacker, that rogue member faces nearly the same
computational burden in obtaining the set of n FKs as an outside
cryptographic analyst; i.e. trust is not unconditional.

• For such an outside attacker, breaking the system requires either
search in an L-dimensional space to get θ_j or nL-dimensional
searches to break individual secrets of all the members. Access to
all n HFKs alone is insufficient to permit an attacker to
determine the SK; for that, the attacker must also possess the
current binding parameter θ, which is time-varying and never
transmitted. If an SK is known to be compromised (perhaps due
to traffic analysis), information regarding θ is not obtained, since
f(·) is a pseudo-random function.



In an embodiment of the invention, an FK_{i,j} is used whereby
(FK_{i,j}^{-1}, FK_{i,j}) is an individual ElGamal public key pair for the member i at update
j. The iterative key generation process for this embodiment is illustrated as
process 600 of FIG. 6. Process 600 begins with a step 605. In steps 610 through
640, each member i develops values FK_{i,j} and HFK_{i,j} and exchanges them with
other members. In step 610, index i is initialized to 1. In step 615, member i
randomly picks a number FK_{i,j}^{-1} with 0 < FK_{i,j}^{-1} < p - 2. In step 620, member i
generates FK_{i,j} = a^{FK_{i,j}^{-1}}. Here, (FK_{i,j}^{-1}, FK_{i,j}) is an individual ElGamal public
key pair for the member i at update j. In step 625, member i generates a quantity
HFK_{i,j} = (α_{i,j} + FK_{i,j}^{-1}) mod p. In step 630, member i sends FK_{i,j} and HFK_{i,j}
to each other member m, in the form

i → m: {{T_i, G, j, HFK_{i,j}, FK_{i,j}}_{FK_{i,j-1}^{-1}}}_{FK_{m,j-1}}.

In step 635, index i is incremented. If, as determined in step 640, i > n, so that
each member i has created a respective HFK_{i,j} and sent it, along with FK_{i,j}, to all
other members, the process continues at a step 645. Otherwise, process 600
returns to step 615, where the next member i selects its respective FK_{i,j}^{-1}.

In steps 645 through 665, each member generates a new binding parameter
θ_{j+1} and one-time pad α_{i,j+1}. In step 640, index i is initialized to 1. In step 650,
each member i computes

θ_{j+1} = ((p - n - 3)θ_j + Σ_{i=1}^{n} HFK_{i,j}) mod (p - 1),

defining GK_{j+1}^{-1} = θ_{j+1}. Each member i also computes

GK_{j+1} = a^{GK_{j+1}^{-1}} = Π_{i=1}^{n} FK_{i,j} = Π_{i=1}^{n} a^{FK_{i,j}^{-1}}

in step 650. In step 655, member i calculates
α_{i,j+1} = (GK_{j+1}^{-1} + FK_{i,j}^{-1}) mod p. In step 660, index i is
incremented. In step 665, a determination is made as to whether i > n, i.e.,
whether each member i has calculated the new θ_{j+1} and a new α_{i,j+1}. If so, process
600 concludes with a step 670. Otherwise, process 600 returns to step 650 so that
the next member i can create a new θ_{j+1}.

Note that if the resulting group key pair (GK_{j+1}, GK_{j+1}^{-1}) is
cryptographically insecure for a particular application, all members can repeat
process 600, creating a new high quality key pair.

IV. Retrieval of the Fractional Key and One-time Pad of a Failed Node 

The following steps, illustrated as process 700 of FIG. 7, are involved in
recovery of the FK_{ī,j} and α_{ī,j} of the failed node ī, where j represents the iteration
number in which the node was compromised or failed. The process begins with
a step 705. In a step 710, any one FK-generating member, called the Recovery
Initiator (RI), initiates recovery and gives the HFK of the failed node ī to the
newly-elected node i' as

RI → i': {{T_RI, R, j, HFK_{ī,j}}_{K_RI^{-1}}}_{K_{i'}}.

In a step 615, the RI gives the newly-elected node i' the current SK, as

RI → i': {{T_RI, R, j, SK_j}_{K_RI^{-1}}}_{K_{i'}}.

In a step 720, distributed initialization is performed, with the following replacements:
(a) θ by ξ and (b) α by β_{l,j}. Except for the changes in the notation and the
number of members participating, the process for pad generation is the same as for
distributed initialization. Hence, at the end of this distributed pad generation, each
member l has β_{l,j} as its pad for the key recovery process, and all these pads are bound
with the parameter ξ. In steps 725 through 745, each member l calculates a
modified hidden fractional key HFK_{l,j} and distributes it to newly elected
member i'. In step 725, index l is initialized to 1. In step 730, member l computes
modified hidden fractional key HFK_{l,j} = β_{l,j} ⊕ FK_{l,j} and sends it to the
newly-elected member i' as

l → i': {{T_l, R, j, HFK_{l,j}}_{K_l^{-1}}}_{K_{i'}}

in step 735. In step 740, index l is incremented. In step 745, a determination is
made as to whether l > n, i.e., whether each member l has calculated a modified
hidden fractional key HFK_{l,j} and distributed it to newly elected member i'. If not,
process 700 returns to step 730. Otherwise, process 700 continues with a step 750.

In step 750, member i' combines all of the modified HFKs and recovers the
fractional key FK_{ī,j} using the operation

FK_{ī,j} = Xξ ⊕ HFK_{1,j} ⊕ ... ⊕ HFK_{n,j} ⊕ θ_{j+1}.

In step 755, member i' extracts the one-time pad α_{ī,j} using the
operation α_{ī,j} = HFK_{ī,j} ⊕ FK_{ī,j}. The process 700 concludes with a step 760.
Note that the recovered values of FK_{ī,j} and α_{ī,j} are unique. Once the
new node recovers the fractional key of the compromised node, it can inform the
other contributing members to update the iteration number j to j + 1, and then all
members can execute the key generation algorithm. Note that even though the
newly-elected member recovers the compromised fractional key and pad, the next
key generation operation of the new node does not use the compromised key or
pad. Hence, even if the attacker possesses the fractional key or pad at iteration
j, it does not allow the attacker to obtain the future fractional keys or pads without
any computation.

V. A Specific Choice of the Functions © and 0 

A class of multiparty key generation algorithms is described above where 
a given instance of the class is determined by choice of function ©. Note that one 
possible choice for © is the modulo addition operation with respect to a large odd

prime p, denoted here with e. In this case, we can deduce the following 
computation from the key generation algorithm: 



HFK_{1,j} ⊕ HFK_{2,j} ⊕ ... ⊕ HFK_{n,j} =
FK_{1,j} ⊕ FK_{2,j} ⊕ ... ⊕ FK_{n,j} ⊕ (n - 1)θ_j

To remove the effect of θ_j on θ_{j+1}, we should ensure that X = (p + 1 - n)
so that

θ_{j+1} = (p + 1 - n)θ_j ⊕ HFK_{1,j} ⊕ HFK_{2,j} ⊕ ... ⊕ HFK_{n,j}
= FK_{1,j} ⊕ FK_{2,j} ⊕ ... ⊕ FK_{n,j}

Regarding the choice of the number of members, clearly the choice of n = 2 is not
appropriate for such a scheme. Although choosing n = 3 does not instantly expose
a secret pad α when a participating member becomes an attacker (i.e. a rogue),
the following attack, called fractional attack (FA), is feasible.

Lemma: When ® is an © function, independent of how nontrivial the bit- 
length of the key is, choosing n = 3 permits a FA. 

Proof: Assume that the time instant at which one member i (i = 1 or 2 or
3) becomes a rogue is j. At this time the members have values of α_{1,j} = HFK_{2,j} ⊕
HFK_{3,j}, α_{2,j} = HFK_{3,j} ⊕ HFK_{1,j}, α_{3,j} = HFK_{1,j} ⊕ HFK_{2,j}. Every member also has
access to the current θ_{j+1} and their own FK_{i,j} (i = 1, 2, 3). At this stage, obtaining
the α component of any other member is as computationally intensive as an
outside attacker trying to obtain θ_{j+1}. However, if a member, say i = 1, is
compromised and releases its secret α_{1,j}, then each of the other members can use
this and compute FK_{1,j} = α_{1,j} ⊕ θ_j. Since θ_{j+1} = FK_{1,j} ⊕ FK_{2,j} ⊕ FK_{3,j}, each
member can now compute the other non-rogue member's FK as well.

This leads to the following corollary: When ® is an © function, independent 
of how non-trivial the bit-length of the key, the minimum number of members to 
prevent a FA by a single rogue member for the multiparty key scheme is 4. 
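
One iteration of process 500 together with the Section V bookkeeping, as an added Python example that is not part of the original specification: it checks that the multiplier X = p + 1 - n cancels θ_j, and shows what a leaked pad exposes for n = 3 versus n = 4. It assumes addition modulo a prime p, subtraction as the inverse used in step 550, and SHA-256 as a stand-in for f(·); all names and the prime are illustrative.

```python
import hashlib
import secrets

# Assumption: the group operation is addition modulo a large odd prime p.
# This Mersenne prime is a constructed stand-in for p.
P = 2**127 - 1


def bootstrap(n):
    """Constructed starting state that satisfies the scheme's invariant:
    theta is the sum of one secret per member, and each pad is theta with
    that member's own secret removed (so the pads sum to (n-1)*theta)."""
    seeds = [secrets.randbelow(P) for _ in range(n)]
    theta = sum(seeds) % P
    return theta, [(theta - s) % P for s in seeds]


def shared_key(theta):
    """SK = f(theta); SHA-256 is an assumed stand-in for the one-way function f."""
    return hashlib.sha256(theta.to_bytes(16, "big")).hexdigest()


def key_generation_round(theta, alphas):
    """One iteration of process 500, computed for all n members."""
    n = len(alphas)
    x = (P + 1 - n) % P                                   # the multiplier X of Section V
    fks = [secrets.randbelow(P) for _ in range(n)]        # FK_{i,j}, private
    hfks = [(a + fk) % P for a, fk in zip(alphas, fks)]   # HFK_{i,j}, sent to all members
    # Step 545: every member computes this from its private theta and the HFKs.
    new_theta = (x * theta + sum(hfks)) % P
    # Step 550: new pad is the new theta with the member's own FK removed.
    new_alphas = [(new_theta - fk) % P for fk in fks]
    return new_theta, new_alphas, fks, hfks


def after_pad_leak(theta, leaked_pad, own_fk):
    """View of an honest member once a rogue member releases its current pad.
    Returns (the rogue's FK, the combined FK of all remaining members)."""
    rogue_fk = (theta - leaked_pad) % P
    rest = (theta - rogue_fk - own_fk) % P
    return rogue_fk, rest


def run(n, rounds=3):
    """Iterate the scheme and record each round's values for inspection."""
    theta, alphas = bootstrap(n)
    history = []
    for _ in range(rounds):
        old_theta = theta
        theta, alphas, fks, hfks = key_generation_round(theta, alphas)
        history.append({"old_theta": old_theta, "theta": theta, "fks": fks,
                        "hfks": hfks, "alphas": alphas, "sk": shared_key(theta)})
    return history


if __name__ == "__main__":
    for n in (3, 4):
        last = run(n)[-1]
        # Member 1 is the rogue and leaks its pad; member 2 does the arithmetic.
        rogue_fk, rest = after_pad_leak(last["theta"], last["alphas"][0], last["fks"][1])
        exposed = rest == last["fks"][2]
        print(f"n={n}: rogue FK recovered={rogue_fk == last['fks'][0]}, "
              f"member 3's FK isolated={exposed}")
```

With n = 3 the remainder is exactly the third member's FK; with n = 4 it is only the sum of two unknown FKs, which is the corollary's reason for requiring at least four members.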
VI. Verifiable Secret Sharing

Since there are multiple entities involved in key generation, it becomes
important to have a mechanism to verify if the parameters exchanged actually
contribute to the generated shared key. The verification steps can be followed at
(a) SM-based group initialization, (b) distributed group initialization, and
(c) θ-generation iteration.

A. SM-based Initialization 

In the case of the SM-based scheme, each member i needs to make sure 
that the SM uses non-trivial values of its $\alpha_{i,1}$ and $\theta_1$. Since each member needs to 
protect its individual pad value, one method for openly checking correctness of the 
pads is to generate a public value that will enable all the key generating members 
to check their correctness without revealing the actual value of the individual pads. 
Such a verification technique falls under the category of Verifiable Secret Sharing 
(VSS) (Feldman, P., "A Practical Scheme for Non-Interactive Verifiable Secret 
Sharing," Proc. of IEEE Fund. Comp. Sci., pp. 427-437 (1987); Pedersen, T. P., 
Advances in Cryptology - CRYPTO, LNCS 576: 129-140 (1991)). 

If one wants to check if the individual initial pads $\alpha_{i,1}$ given by the security 
manager are "good", process 800 of FIG. 8 can be used. The process begins with 
a step 805. In a step 810, one member (possibly the SM) picks a very large prime 
number q. The number picked should be larger than the possible range of the $\theta$ 
value. In a step 820, prime number q is sent to all the members. In a step 825, 
the same member also sends a generator g of the multiplicative group q. In a step 
830, each member picks a random polynomial $f_i$ having a value 0 at the origin. 
In a step 835, each member adds the polynomial to its pad value, generates 
$g^{\alpha_{i,1}+f_i}$, and broadcasts the values to all the members. In a step 840, each 
member i computes g &1 - J~J ^_"« z j = g e> ■ In a step 845, each member 
checks if the value is equal to $g^{\theta_1}$ at the origin. If not, then the verification fails 
in a step 850. If the check of step 845 passes, then in a step 855, each member 
checks to see that 

1 1, ;.• 

If not, verification fails in step 850. Failed verification means that some or all of 
the members' one-time pads do not correspond to $\theta_1$. Process 800 concludes with 
a step 860. 

B. Distributed Initialization 

In the case of distributed initialization, process 900 of FIG. 9 can be used 
to check if the GI, member 1, has produced a $\theta_1$ using contributions from all the 
group members. The process begins with a step 905. In a step 910, one member 
(possibly the GI) picks a very large prime number q. The number picked should 
be larger than the possible range of the $\theta_1$ value. In a step 915, prime number q 
is sent to all the members. In a step 920, the same member also sends a generator 
g of the multiplicative group under q to all members. In a step 925, GI computes 
$g^{\gamma}$ and $g^{\nu_{1,1}}$, and makes them available to all the group members. In a step 930, 
each member i publishes $g^{\nu_{i,1}}$, making it available only to the group members. 
In a step 935, each member i checks if $g^{\theta_1} = \prod_{i=1}^{n} g^{\nu_{i,1}}$. If the equality is not 
true, then failed verification is indicated in a step 940. Failure (inequality) means 
that the binding parameter $\theta_1$ and the individual one-time pads do not agree. 
Since at each step of adding their secrets members published the broadcast values, 
it is possible to check which member cheated if there is no collaboration. If there 
is a collaboration, then the last among the collaborating members can be identified 
by the non-collaborating member. 

Note that similar testing can be done for the key generation process. 
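
The step 935 check and the per-step identification of a cheating member, as an added Python example that is not code from the patent. It assumes the binding operator is addition modulo q-1 (so that $\theta_1$ is the sum of the members' $\nu_{i,1}$ once the GI subtracts its blinding value $\gamma$), that each member also publishes g raised to the running value it passed on, and it uses a small constructed prime; all names are illustrative.

```python
# Constructed parameters for illustration only.
Q = 2**61 - 1   # a Mersenne prime, larger than every theta used below
Q1_FACTORS = (2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321)  # primes dividing Q-1


def find_generator(q=Q, factors=Q1_FACTORS):
    """Return the smallest g of order q-1, i.e. a generator modulo q."""
    for g in range(2, q):
        if all(pow(g, (q - 1) // f, q) != 1 for f in factors):
            return g
    raise ValueError("no generator found")


G = find_generator()


def ring_pass(gamma, nus, q=Q):
    """Running values delta_1 = gamma + nu_1, delta_i = delta_{i-1} + nu_i."""
    deltas, acc = [], gamma % (q - 1)
    for nu in nus:
        acc = (acc + nu) % (q - 1)
        deltas.append(acc)
    return deltas


def gi_theta(gamma, delta_n, q=Q):
    """GI removes its blinding value gamma from the last running value."""
    return (delta_n - gamma) % (q - 1)


def publish(values, g=G, q=Q):
    """Public values g^v mod q; the exponents v themselves stay private."""
    return [pow(g, v, q) for v in values]


def verify_theta(theta, nu_pub, g=G, q=Q):
    """Step 935: accept only if g^theta equals the product of all g^nu_i."""
    product = 1
    for c in nu_pub:
        product = product * c % q
    return pow(g, theta, q) == product


def first_cheater(gamma_pub, nu_pub, delta_pub, q=Q):
    """Return the 1-based index of the first member whose published running
    value is not predecessor * own contribution, or None if all agree."""
    prev = gamma_pub
    for member, (nu_c, delta_c) in enumerate(zip(nu_pub, delta_pub), start=1):
        if delta_c != prev * nu_c % q:
            return member
        prev = delta_c
    return None


if __name__ == "__main__":
    nus = [0x1A2B3C, 0x4D5E6F, 0x778899, 0xABCDEF]   # constructed secrets
    gamma = 0x13579BDF                                 # constructed blinding value
    deltas = ring_pass(gamma, nus)
    theta = gi_theta(gamma, deltas[-1])
    print("honest run verifies:", verify_theta(theta, publish(nus)))
    skipped = (theta - nus[2]) % (Q - 1)               # member 3 left out
    print("theta missing a share verifies:", verify_theta(skipped, publish(nus)))
```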

VII. Environment 

The present invention may be implemented using hardware, software or 
a combination thereof. The operations described above may be implemented in 
a computer system or other processing system at the node of a member. An 
example of such a computer system 1000 is shown in FIG. 10. The computer 
system 1000 includes one or more processors, such as processor 1004. The 
processor 1004 is connected to a communication infrastructure 1006, such as a 
bus or network. Various software implementations are described in terms of this 
exemplary computer system. After reading this description, it will become 
apparent to a person skilled in the relevant art how to implement the invention 
using other computer systems and/or computer architectures. 

Computer system 1000 also includes a main memory 1008, preferably 
random access memory (RAM), and may also include a secondary memory 1010. 
The secondary memory 1010 may include, for example, a hard disk drive 1012 
and/or a removable storage drive 1014, representing a floppy disk drive, a 
magnetic tape drive, an optical disk drive, etc. The removable storage drive 1014 
reads from and/or writes to a removable storage unit 1018 in a well known 
manner. Removable storage unit 1018 represents a floppy disk, magnetic tape, 
optical disk, or other storage medium which is read by and written to by 
removable storage drive 1014. As will be appreciated, the removable storage unit 
1018 includes a computer usable storage medium having stored therein computer 
software and/or data. 

In alternative implementations, secondary memory 1010 may include other 
means for allowing computer programs or other instructions to be loaded into 
computer system 1000. Such means may include, for example, a removable 
storage unit 1022 and an interface 1020. Examples of such means may include a 
program cartridge and cartridge interface (such as that found in video game 
devices), a removable memory chip (such as an EPROM, or PROM) and 
associated socket, and other removable storage units 1022 and interfaces 1020 
which allow software and data to be transferred from the removable storage unit 
1022 to computer system 1000. 

Computer system 1000 may also include a communications interface 1024. 
Communications interface 1024 allows software and data to be transferred 
between computer system 1000 and external devices. Examples of 
communications interface 1024 may include a modem, a network interface (such 
as an Ethernet card), a communications port, a PCMCIA slot and card, etc. 
Software and data transferred via communications interface 1024 are in the form 
of signals 1028 which may be electronic, electromagnetic, optical or other signals 
capable of being received by communications interface 1024. These signals 1028 
are provided to communications interface 1024 via a communications path (i.e., 
channel) 1026. This channel 1026 carries signals 1028 and may be implemented 
using wire or cable, fiber optics, a phone line, a cellular phone link, an RF link and 
other communications channels. In an embodiment of the invention in which 
computer system 1000 represents the computer system of a member's node, 
signals 1028 comprise information flowing to and from the node, such as the 
encrypted form of $\delta_i$ in step 440, and the encrypted form of $HFK_{i,j}$ of step 525. 

In this document, the terms "computer program medium" and "computer 
usable medium" are used to generally refer to media such as removable storage 
units 1018 and 1022, a hard disk installed in hard disk drive 1012, and signals 
1028. These computer program products are means for providing software to 
computer system 1000. 

Computer programs (also called computer control logic) are stored in main 
memory 1008 and/or secondary memory 1010. Computer programs may also be 
received via communications interface 1024. Such computer programs, when 
executed, enable the computer system 1000 to implement the present invention 
as discussed herein. In particular, the computer programs, when executed, enable 
the processor 1004 to implement the present invention. Accordingly, such 
computer programs represent controllers of the computer system 1000. Where 
the invention is implemented using software, the software may be stored in a 
computer program product and loaded into computer system 1000 using 
removable storage drive 1014, hard drive 1012 or communications interface 1024. 
In an embodiment of the present invention, the steps of processes 300 through 
900 are implemented in software that can therefore be made available to processor 
1004 at a member node through any of these means. 



VIII. Conclusion 



While various embodiments of the present invention have been described 
above, it should be understood that they have been presented by way of example, 
and not limitation. It will be apparent to persons skilled in the relevant art that 
various changes in detail can be made therein without departing from the spirit and 
scope of the invention. Thus the present invention should not be limited by any 
of the above-described exemplary embodiments, but should be defined only in 
accordance with the following claims and their equivalents. 
What Is Claimed Is: 

1. A method of generating and managing shared keys for a plurality 
of members of a cluster, comprising the steps of 

(a) system initialization to produce a functionally generated 
initial shared key; 

(b) functional generation of a next shared key; and 

(c) key recovery in the event of either compromise or failure 


2. The method of claim 1, wherein step (a) comprises the steps of: 

(i) generating a random initial one-time pad $\alpha_{i,1}$ for each 

(ii) calculating an initial binding parameter $\theta_1$ based on each 
= $\alpha_{1,1} \otimes \alpha_{2,1} \otimes \cdots \otimes \alpha_{n,1}$ wherein $\otimes$ is a commutative operator; and 

(iii) sending $\theta_1$ and $\alpha_{i,1}$ to each member i. 



3. The method of claim 2, wherein step (iii) comprises the step of 
encrypting $\theta_1$ and $\alpha_{i,1}$ in the form 

for transmission to each member i, where 

$T_{SM}$ is a timestamp generated by a security manager (SM), 
I is an indicator of an initialization mode, 
1 denotes the first interaction of key generation, 
£ s ~' is an encryption operation using a private component of a 
private/public key pair of the security manager, and 
$K_i$ indicates encryption using a public component of a 
private/public key pair of member i. 

4. The method of claim 1, wherein step (a) comprises the steps of: 

(i) generation, by a member 1, of random quantities $\gamma$ and $\nu_{1,1}$; 

(ii) calculation by the member 1, of $\gamma \otimes \nu_{1,1} = \delta_1$, wherein $\otimes$ is a 
commutative operator; 

(iii) sending, by the member 1, of $\delta_1$ to a member 2; 

(iv) receipt, by a member i, of $\delta_{i-1}$ from a preceding member i-1; 

(v) generation, by member i, of random quantity $\nu_{i,1}$; 

(vi) calculation, by member i, of $\delta_{i-1} \otimes \nu_{i,1} = \delta_i$; 

(vii) sending, by member i, of $\delta_i$ to a member i+1; 

(viii) sending, by a last member n, of $\delta_n$ to member 1; 

(ix) calculation, by member 1, of $\gamma \otimes \delta_n = \theta_1$; 

(x) sending, by member 1, of $\theta_1$ to each member; 

(xi) calculation, by each member, of $\theta_1 \otimes \nu_{i,1} = \alpha_{i,1}$. 

5. The method of claim 4, wherein step (iii) comprises the step of 
encrypting $\delta_1$ in the form 

|{rj , / ,1, 5 , }^_, | for transmission to member 2, 

step (vi) comprises the step of encrypting $\delta_i$ in the form 
j{r, , / ,1 , 8, } K | for transmission to member i+1, 

step (vii) comprises the step of encrypting $\delta_n$ in the form 
|{l n ,1 ,\,§ n } K _ t | for transmission to member 1, and 

step (ix) comprises the step of encrypting $\theta_1$ in the form 
|{r, , / ,1, 0[ } K ., | for transmission to member i. 

6. The method of claim 1, wherein step (b) comprises the steps of: 

(i) generation, by each member i, of a cryptographically secure 
random number, $FK_{i,j}$, where j denotes the key generation iteration; 

(ii) calculation, by each member i, of $HFK_{i,j} = \alpha_{i,j} \otimes FK_{i,j}$, where 
$\otimes$ is a commutative operator; 

(iii) sending, by each member i, of $HFK_{i,j}$ to each other 
member; 

(iv) calculation, by each member i, of 

$\theta_{j+1} = \lambda\theta_j \otimes HFK_{1,j} \otimes HFK_{2,j} \otimes \cdots \otimes HFK_{n,j}$ 

where $\lambda$ is a scaling factor and n is the number of members in the 
cluster; 

(v) calculation, by each member i, of 
$\alpha_{i,j+1} = \theta_{j+1} \otimes FK_{i,j}$ 

(vi) calculation, by each member i, of a shared key 
$SK_{j+1} = f(\theta_{j+1})$ 

where f is a strong one way function, to form a fractionally 
generated next shared key. 

7. The method of claim 6, wherein the step (iii) comprises the step of 
encrypting $HFK_{i,j}$ in the form 

j^.G.j.HF^}^} for transmission to each other member m. 



8. The method of claim 6, wherein 
step (i) comprises the steps of: 

(A) random selection, by each member i, of a number FK l ^ j , 
where 0< FK t ' <p-2, wherein p is a large odd prime number, such that p-1 has 
large prime factors; and 

(B) calculation, by each member i, of 

step (ii) comprises the step of calculation, by each member i, of 
$HFK_{i,j} = (\alpha_{i,j} + FK_{i,j}) \bmod p$; 

step (iii) comprises the step of encrypting, by each member i, of 
$HFK_{i,j}$ in the form 

for transmission to each other member m; 

step iv) comprises the step of calculating, by each member i, of 

Q j+l = ((p-n-3) 6,.+ HFK 1} ) mod(p-l) 

= G^;i;and 

step (v) comprises the step of calculation, by each member i, of 
a M+I ={GK]l x + FK;)) mod p. 

9. The method of claim 1, wherein step c) comprises the steps of: 

(i) sending, by a recovery initiator RI, of the hidden fractional 
key of a failed node i , HFK- . , to a newly elected member i, where j represents 
the iteration in which node i failed; 

(ii) sending, by RI, of $SK_j$ to member i; 

(iii) performing a distributed initialization process, so that each 
member I receives a binding parameter i and a random pad P u ; 

(iv) calculation, by each member I, of HFK l} = 0 FJ^-, 
where 0 is a commutative operator; 

(v) sending, by each member I, of HFK l} to member i; 

(vi) calculation, by member i, of 

FK f j = X^0 HFK,j © - ® HFK„.jj ® B J+I , where ® is a 

commutative operator; and 

(vii) calculation, by member i, of 
a T ] =HFK ;j © FK F j 

10. The method of claim 9, wherein 

step (i) comprises the step of encrypting H FK r t in the form 

j jT^ ,R,j, HFK- j j _ ( | for transmission to member i, where R indicates 

recovery mode; 

step (ii) comprises the step of encrypting SKj in the form 

^T Rl ,R,j,SK^ j for transmission to member i; and 

step (v) comprises the step of encrypting HFK lk in the form 




11. The method of claim 2, further comprising the step of 

(d) verifying that each of initial pad $\alpha_{i,1}$ has contributed to the 
calculation of $\theta_1$, performed after step (a). 
12. The method of claim 11, wherein step (d) comprises the steps of: 

(i) selection, by a predetermined member of the cluster, of a 
large prime q; 

(ii) distribution of q to all members; 

(iii) selection, by the predetermined member, of a generator g 
of the multiplicative group under q; 

(iv) distribution of g to all members; 

(v) selection by each member i, of a random polynomial $f_i$ 
having a value of zero at the origin; 

(vi) calculation, b; 

(vii) sending, by each member i, of $d_{i,1}$ to all other members; 

(viii) calculation, by each member i, of 

g §1 = Y\ ; l"ct, j - g e ' + ^ f ' > evaluated at the origin; 

(ix) determination, by each member i, of whether g e ' = g e ' , 

evaluated at the origin; and 

(x) determination, by each member i, of whether 



n 



13. The method of claim 4, further comprising the step of: 

(e) verifying that each initial pad $\alpha_{i,1}$ has contributed to the 
calculation of $\theta_1$, performed after step (a). 

14. The method of claim 12, wherein step (e) comprises the steps of: 

(i) selection, by a predetermined member of the cluster, of a 
large prime q, 

(ii) distribution of q to all members; 

(iii) selection, by the predetermined member, of a generator g 
of the multiplicative group under q; 

(iv) distribution of g to all members; 

(v) calculation, by member 1, of $g^{\gamma}$ and $g^{\nu_{1,1}}$; 

(vi) making $g^{\gamma}$ and $g^{\nu_{1,1}}$ available to all members; 

(vii) calculation, by each member i, of $g^{\nu_{i,1}}$; 

(viii) publication, by each member i, of $g^{\nu_{i,1}}$ for other members 
of the cluster only; 

(ix) determination, by each member i, of whether 


15. A system for generating and managing shared keys for a plurality 
of members of a cluster, comprising 

initialization means for performing system initialization to produce 
a fractionally generated initial shared key; 

fractional generation means for fractional generation of a next 
shared key; and 

recovery means for performing key recovery in the event of either 
compromise or failure of a node. 

16. A computer program product comprising a computer usable 
medium having computer readable program code that executes on a computer that 
participates in the generation and management of shared keys for a plurality of 
members of a cluster, said computer readable program code comprising: 

(a) first computer readable program code logic for causing the 
computer to participate in system initialization, wherein the initialization produces 
a fractionally generated initial shared key; 

(b) second computer readable program code logic for causing 
the computer to participate in the fractional generation of a next shared key; and 

(c) third computer readable program code logic for causing the 
computer to participate in key recovery in the event of either compromise or 
failure of a node. 
Declaration for Patent Application 

Docket Number: 1797.014PC02 

As a below named inventor, I hereby declare that: 

My residence, mailing address and citizenship are as stated below next to my name. 

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if 
plural names are listed below) of the subject matter that is claimed and for which a patent is sought on the invention entitled 
Distributed Shared Key Generation and Management Using Fractional Keys, the specification of which is attached hereto 
unless the following box is checked: 

[X] was filed on October 1, 1999; 

as United States Application Number or PCT International Application Number PCT/US99/22710 ; and 
was amended on (if applicable). 

I hereby state that I have reviewed and understand the contents of the above identified specification, including the claims, as 
amended by any amendment referred to above. 

I acknowledge the duty to disclose information that is material to patentability as defined in 37 C.F.R. § 1.56. 

I hereby claim foreign priority benefits under 35 U.S.C. § 119(a)-(d) or § 365(b) of any foreign application(s) for patent or 
inventor's certificate, or § 365(a) of any PCT international application, which designated at least one country other than the 
United States listed below, and have also identified below any foreign application for patent or inventor's certificate, or PCT 
international application having a filing date before that of the application on which priority is claimed. 

Prior Foreign Application(s) Priority Claimed 



(Application No.) (Country) (Day /Month/Year Filed) 



(Application No.) (Country) (Day/Month/Year Filed) 

I hereby claim the benefit under 35 U.S.C. § 119(e) of any United States provisional application(s) listed below. 

60/102,633 October 1, 1998 

(Application No.) (Filing Date) 



(Application No.) (Filing Date) 

I hereby claim the benefit under 35 U.S.C. § 120 of any United States application(s), or under § 365(c) of any PCT 
international application designating the United States, listed below and, insofar as the subject matter of each of the claims of 
this application is not disclosed in the prior United States or PCT international application in the manner provided by the first 
paragraph of 35 U.S.C. § 112, I acknowledge the duty to disclose information that is material to patentability as defined in 37 
C.F.R. § 1.56 that became available between the filing date of the prior application and the national or PCT international 
filing date of this application. 

PCT/US99/22710 October 1, 1999 Pending 



(Application No.) (Filing Date) (Status - patented, pending, abandoned) 



(Application No.) (Filing Date) (Status - patented, pending, abandoned) 






Send Correspondence to: 

Sterne, Kessler, Goldstein & Fox P.L.L.C. 
1100 New York Avenue, N.W. 
Suite 600 
Washington, D.C. 20005-3934 

Direct Telephone Calls to: 

(202) 371-2600 



I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information 
and belief are believed to be true; and further that these statements were made with the knowledge that willful false 
statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United 
States Code and that such willful false statements may jeopardize the validity of the application or any patent issued thereon. 



Full name of sole or first inventor: Raadhakrishnan POOVENDRAN 
Signature of sole or first inventor:        Date: 
Residence: Greenbelt, Maryland 
Citizenship: United States 
Mailing Address: P.O. Box 474, Greenbelt, Maryland 20768 

Full name of second inventor: Matthew Scott CORSON 
Signature of second inventor:        Date: 
Residence: Kensington, Maryland 
Citizenship: United States 
Mailing Address: 10122 Ashwood Drive, Kensington, Maryland 20895 

Full name of third inventor: John S. BARAS 
Residence: Potomac, Maryland 
Citizenship: United States 
Mailing Address: 10912 Burbank Drive, Potomac, Maryland 20854 

(Supply similar information and signature for subsequent joint inventors, if any) 
POWER OF ATTORNEY FROM ASSIGNEE 

University of Maryland, College Park, a university of Maryland, having a principal place of business at Office of 
Technology Commercialization, University of Maryland, College Park, 6200 Baltimore Avenue, Suite 300, College 
Park, MD 20742-9520, is assignee of the entire right, title and interest for the United States of America (as defined 
in 35 U.S.C. § 100), by reason of an Assignment to the Assignee executed on 4/26/00, 4/20/00, and 4/24/00 of an 
invention known as Distributed Shared Key Generation and Management Using Fractional Keys (Attorney Docket 
No. 1797.014PC02), which is disclosed and claimed in a patent application of the same title by the inventor(s) 
Poovendran et al. (said application filed on October 1, 1999 at the U.S. Patent and Trademark Office, having 
Application Number PCT/US99/22710). 

The Assignee hereby appoints the following U.S. attorneys to prosecute this application and any continuation, 
divisional, continuation-in-part, or reissue application thereof, and to transact all business in the U.S. Patent and 
Trademark Office connected therewith: Robert Greene Sterne, Esq., Reg. No. 28,912; Edward J. Kessler, Esq., Reg. 
No. 25^88; Jorge A. Goldstein, Esq., Reg. No. 29,021; David K.S. Cornwell, Esq., Reg. No. 31,944; Robert W. 
Esmond, Esq., Reg. No. 32,893; Tracy-Gene G. Durkin, Esq., Reg. No. 32,831; Michele A. Cimbala, Esq., Reg. 
No. 33j|5_l; Michael B. Ray, Esq., Reg. No. 33,997; Robert E. Sokohl, Esq., Reg. No. 36,013; Eric K. Steffe, Esq., 
Reg. No. j36,&88; Michael Q. Lee, Esq., Reg. No. 35,239; Steven R. Ludwig, Esq., Reg. No. 36,203; John M. 
Covert, Esq., Reg. No. 38,255; and Linda E. Alcorn, Esq., Reg. No. _3<L5,88. The Assignee hereby grants said 
attorneys the power to insert on this Power of Attorney any further identification that may be necessary or desirable 
in order to comply with the rules of the U.S. Patent and Trademark Office. 



Send correspondence to: 

Sterne, Kessler, Goldstein & Fox P.L.L.C. 
1100 New York Avenue, N.W. 
Suite 600 
Washington, D.C. 20005-3934 
U.S.A. 

Direct phone calls to 202-371-2600. 

FOR: University of Maryland, College Park 
SIGNATURE: 
BY: James A. Poulos, III 
TITLE: Executive Director 
DATE: 2 f . ZOO j 



Certificate Under 37 C.F.R. § 3.73(b) 

Applicant/Patent Owner: Poovendran et al. 

Application No./Patent No.: PCT/US99/22710 Filed/Issue Date: October 1, 1999 

Entitled: Distributed Shared Key Generation and Management Using Fractional Keys 

University of Maryland, College Park , a university , 

(Name of Assignee) (Type of Assignee, e g , corporation, partnership, university, government agency, etc ) 

states that it is: 

1. [X] the assignee of the entire right, title, and interest, or 

2. [ ] an assignee of an undivided part interest 

in the patent application/patent identified above by virtue of either: 

A. [X] An Assignment from the inventor(s) of the patent application/patent identified above. The assignment was 

recorded in the Patent and Trademark Office at Reel , Frame , or for which a copy thereof is 

attached. 

OR 

B. [ ] A chain of title from the inventor(s) of the patent application/patent identified above to the current 

assignee as shown below: 



The document was recorded in the Patent and Trademark Office at 

Reel , Frame , or for which a copy thereof is attached. 



The document was recorded in the Patent and Trademark Office at 

Reel , Frame , or for which a copy thereof is attached. 



The document was recorded in the Patent and Trademark Office at 

Reel , Frame , or for which a copy thereof is attached. 

[ ] Additional documents in the chain of title are listed on a supplemental sheet. 

[X] Copies of assignments or other documents in the chain of title are attached. 

[NOTE: A separate copy (i.e., the original assignment document or a true copy of the original 
document) must be submitted to Assignment Division in accordance with 37 CFR Part 3, if the 
assignment is to be recorded in the records of the PTO. See MPEP 302-302.8] 

The undersigned (whose title is supplied below) is empowered to act on behalf of the 

Date: 

Name: James A. Poulos, III 



Executive Director 
INTELLECTUAL PROPERTY ASSIGNMENT AGREEMENT 



THIS AGREEMENT by and between John S. Baras, an individual having a principal 
residence at 109112 Burbank Drive, Potomac, Maryland 20854 (hereinafter referred to as 
"Assignor"), and the University of Maryland, having a principal office at Office of Technology 
Liaison, College Park, Maryland 20742 (hereinafter referred to as "Assignee"). 

WITNESSETH: 

WHEREAS, Assignor has created and developed certain inventions, improvements, 
discoveries, software, or other intellectual property, as described in Assignee Invention Disclosure 
No. IS-98-012 and IS-99-027 and in International Application No. PCT/US99/22710 titled 
"Distributed Shared Key Generation and Management Using Fractional Keys" filed October 
1, 1999 (hereinafter collectively referred to as the "Works"); and 

WHEREAS, Assignor agrees that, to the extent the Works are, by operation of law or 
otherwise, not deemed to be works made for hire within the meaning of the Copyright Act, (Title 17, 
U.S.C. Section 101, et seq.), Assignor agrees to assign all of his/her right, title and interest in and to 
the Works to Assignee, and further agrees to take such further actions and to execute such further 
instruments that Assignee might find reasonable or necessary to perfect or to evidence more clearly 
its right and claim to exclusive ownership of all of Assignor's worldwide intellectual property interests 
respecting the Works; and 

WHEREAS, Assignor and Assignee now wish to perfect and to evidence more clearly the 
right and claim of Assignee to exclusive ownership of all of Assignor's intellectual property interests 
respecting the Works. 

NOW, THEREFORE, in consideration of the rights granted to Assignor under the University 
of Maryland Patent Policy and Copyright Policy, as approved by the Board of Regents of the 
University of Maryland, and as amended by them from time to time, and other good and valuable 
consideration furnished by Assignee to Assignor, the receipt and sufficiency of which are hereby 
acknowledged, Assignor and Assignee, intending to be legally bound, do hereby covenant and agree 
as follows: 

Section 1. Assignment of the Works. 

Assignor hereby assigns, transfers and conveys to Assignee, its successors, assigns or other 
legal representatives, without the necessity of any consideration in addition to that recited herein, all 
of Assignor's right, title and interest in and to the Works. This assignment shall be operative with 
respect to all intellectual property rights in and to the Works, including (without limitation), (i) all 
copyrights in the United States and elsewhere, including all rights of registration, publication, 
renewal, rights to create derivative works and all other rights incident to copyright ownership, for the 
residue now unexpired of the present term of any and all such copyrights and any term thereafter 
granted during which the Works are entitled to copyright; (ii) all trade secrets, inventions, know-how, 
ideas and confidential information embodied or reflected in the Works, including any shop rights, for 
the longest period of protection accorded to such interest under applicable law; and (iii) all patent 
rights in the United States and elsewhere, including all rights of registration, publication, renewal, and 
all other works incident to copyright ownership, for the longest period of protection accorded to such 
interests under applicable law. 



Section 2. University of Maryland Copyright and Patent Policies. 

The assignment of rights perfected hereunder shall be governed by the University of Maryland 
Patent Policy and Copyright Policy as approved by the Board of Regents of the University of 
Maryland, and as amended by them from time to time. Royalty income shall be allocated as set forth 
in those policies. 

Section 3. Warranty. 

Assignor warrants and covenants that he/she is an author or inventor of the Works and that 
as of the date of this Assignment, has taken no action respecting the Works which purports or 
attempts to transfer or encumber any right, title or interest in or to the Works to any other party; and 
covenants not to take such action in the future. 

Section 4. Jurisdiction. 

The validity, interpretation, and effect of this agreement shall be governed by the laws of the 
State of Maryland and of the United States of America. Any legal proceedings involving claims or 
disputes regarding this agreement shall be brought in the appropriate court in the State of Maryland. 

WHEREAS, the parties have caused this Assignment to be executed on the dates below. 



ASSIGNOR 





Printed Name: John S. Baras 



ASSIGNEE (The University of Maryland) 



Acknowledged and Agreed to by: 




Title: 
INTELLECTUAL PROPERTY ASSIGNMENT AGREEMENT 



THIS AGREEMENT by and between Mathew Scott Corson, an individual having a principal 
residence at 10122 Ashwood Drive, Kensington, Maryland 20895 (hereinafter referred to as 
"Assignor"), and the University of Maryland, having a principal office at Office of Technology 
Liaison, College Park, Maryland 20742 (hereinafter referred to as "Assignee"). 

WITNESSETH: 

WHEREAS, Assignor has created and developed certain inventions, improvements, 
discoveries, software, or other intellectual property, as described in Assignee Invention Disclosure 
No. IS-98-012 and IS-99-027 and in International Application No. PCT/US99/22710 titled 
"Distributed Shared Key Generation and Management Using Fractional Keys" filed October 
1, 1999 (hereinafter collectively referred to as the "Works"); and 

WHEREAS, Assignor agrees that, to the extent the Works are, by operation of law or 
otherwise, not deemed to be works made for hire within the meaning of the Copyright Act, (Title 17, 
U.S.C. Section 101, et seq.), Assignor agrees to assign all of his/her right, title and interest in and to 
the Works to Assignee, and further agrees to take such further actions and to execute such further 
instruments that Assignee might find reasonable or necessary to perfect or to evidence more clearly 
its right and claim to exclusive ownership of all of Assignor's worldwide intellectual property interests 
respecting the Works; and 

WHEREAS, Assignor and Assignee now wish to perfect and to evidence more clearly the 
right and claim of Assignee to exclusive ownership of all of Assignor's intellectual property interests 
respecting the Works. 

NOW, THEREFORE, in consideration of the rights granted to Assignor under the University 
of Maryland Patent Policy and Copyright Policy, as approved by the Board of Regents of the 
University of Maryland, and as amended by them from time to time, and other good and valuable 
consideration furnished by Assignee to Assignor, the receipt and sufficiency of which are hereby 
acknowledged, Assignor and Assignee, intending to be legally bound, do hereby covenant and agree 
as follows: 

Section 1. Assignment of the Works. 

Assignor hereby assigns, transfers and conveys to Assignee, its successors, assigns or other 
legal representatives, without the necessity of any consideration in addition to that recited herein, all 
of Assignor's right, title and interest in and to the Works. This assignment shall be operative with 
respect to all intellectual property rights in and to the Works, including (without limitation), (i) all 
copyrights in the United States and elsewhere, including all rights of registration, publication, 
renewal, rights to create derivative works and all other rights incident to copyright ownership, for the 
residue now unexpired of the present term of any and all such copyrights and any term thereafter 
granted during which the Works are entitled to copyright; (ii) all trade secrets, inventions, know-how, 
ideas and confidential information embodied or reflected in the Works, including any shop rights, for 
the longest period of protection accorded to such interest under applicable law; and (iii) all patent 
rights in the United States and elsewhere, including all rights of registration, publication, renewal, and 
all other works incident to copyright ownership, for the longest period of protection accorded to such 
interests under applicable law. 



Section 2. University of Maryland Copyright and Patent Policies. 

The assignment of rights perfected hereunder shall be governed by the University of Maryland 
Patent Policy and Copyright Policy as approved by the Board of Regents of the University of 
Maryland, and as amended by them from time to time. Royalty income shall be allocated as set forth 
in those policies. 

Section 3. Warranty. 

Assignor warrants and covenants that he/she is an author or inventor of the Works and that 
as of the date of this Assignment, has taken no action respecting the Works which purports or 
attempts to transfer or encumber any right, title or interest in or to the Works to any other party; and 
covenants not to take such action in the future. 

Section 4. Jurisdiction. 

The validity, interpretation, and effect of this agreement shall be governed by the laws of the 
State of Maryland and of the United States of America. Any legal proceedings involving claims or 
disputes regarding this agreement shall be brought in the appropriate court in the State of Maryland. 

WHEREAS, the parties have caused this Assignment to be executed on the dates below. 



ASSIGNOR 



Agreed to by: 





Printed Name: Mathew Scott Corson 



ASSIGNEE (The University of Maryland) 



Acknowledged and Agreed to by: 




Title: 



Acting Executive Director 




INTELLECTUAL PROPERTY ASSIGNMENT AGREEMENT 



THIS AGREEMENT by and between Raadhakrishnan Poovendran, an individual having 
a principal residence at P.O. Box 474, Greenbelt, Maryland 20768 (hereinafter referred to as 
"Assignor"), and the University of Maryland, having a principal office at Office of Technology 
Liaison, College Park, Maryland 20742 (hereinafter referred to as "Assignee"). 

WITNESSETH: 

WHEREAS, Assignor has created and developed certain inventions, improvements, 
discoveries, software, or other intellectual property, as described in Assignee Invention Disclosure 
No. IS-98-012 and IS-99-027 and in International Application No. PCT/US99/22710 titled 
"Distributed Shared Key Generation and Management Using Fractional Keys" filed October 
1, 1999 (hereinafter collectively referred to as the "Works"); and 

WHEREAS, Assignor agrees that, to the extent the Works are, by operation of law or 
otherwise, not deemed to be works made for hire within the meaning of the Copyright Act, (Title 17, 
U.S.C. Section 101, et seq.), Assignor agrees to assign all of his/her right, title and interest in and to 
the Works to Assignee, and further agrees to take such further actions and to execute such further 
instruments that Assignee might find reasonable or necessary to perfect or to evidence more clearly 
its right and claim to exclusive ownership of all of Assignor's worldwide intellectual property interests 
respecting the Works; and 

WHEREAS, Assignor and Assignee now wish to perfect and to evidence more clearly the 
right and claim of Assignee to exclusive ownership of all of Assignor's intellectual property interests 
respecting the Works. 

NOW, THEREFORE, in consideration of the rights granted to Assignor under the University 
of Maryland Patent Policy and Copyright Policy, as approved by the Board of Regents of the 
University of Maryland, and as amended by them from time to time, and other good and valuable 
consideration furnished by Assignee to Assignor, the receipt and sufficiency of which are hereby 
acknowledged, Assignor and Assignee, intending to be legally bound, do hereby covenant and agree 
as follows: 

Section 1. Assignment of the Works. 

Assignor hereby assigns, transfers and conveys to Assignee, its successors, assigns or other 
legal representatives, without the necessity of any consideration in addition to that recited herein, all 
of Assignor's right, title and interest in and to the Works. This assignment shall be operative with 
respect to all intellectual property rights in and to the Works, including (without limitation), (i) all 
copyrights in the United States and elsewhere, including all rights of registration, publication, 
renewal, rights to create derivative works and all other rights incident to copyright ownership, for the 
residue now unexpired of the present term of any and all such copyrights and any term thereafter 
granted during which the Works are entitled to copyright; (ii) all trade secrets, inventions, know-how, 
ideas and confidential information embodied or reflected in the Works, including any shop rights, for 
the longest period of protection accorded to such interest under applicable law; and (iii) all patent 
rights in the United States and elsewhere, including all rights of registration, publication, renewal, and 
all other works incident to copyright ownership, for the longest period of protection accorded to such 
interests under applicable law. 



Section 2. University of Maryland Copyright and Patent Policies. 

The assignment of rights perfected hereunder shall be governed by the University of Maryland 
Patent Policy and Copyright Policy as approved by the Board of Regents of the University of 
Maryland, and as amended by them from time to time. Royalty income shall be allocated as set forth 
in those policies. 

Section 3. Warranty. 

Assignor warrants and covenants that he/she is an author or inventor of the Works and that 
as of the date of this Assignment, has taken no action respecting the Works which purports or 
attempts to transfer or encumber any right, title or interest in or to the Works to any other party; and 
covenants not to take such action in the future. 

Section 4. Jurisdiction. 

The validity, interpretation, and effect of this agreement shall be governed by the laws of the 
State of Maryland and of the United States of America. Any legal proceedings involving claims or 
disputes regarding this agreement shall be brought in the appropriate court in the State of Maryland. 

WHEREAS, the parties have caused this Assignment to be executed on the dates below. 



Date: 



ASSIGNOR 
Agreed to by: 
Printed Name: Raadhakrishnan Poovendran 
ASSIGNEE (The University of Maryland) 
Acknowledged and Agreed to by: 



James A. Poulas, II 

Title: Acting Executive Director 

Date: 



